UCL has acquired licenses for UCL users to use the enterprise version of LastPass. This blog article attempts to explain what LastPass is, why you should use it, and how to get a UCL LastPass account.

Why use a password manager like LastPass?

So, what is LastPass? LastPass is a password manager that allows you to store all your passwords encrypted in one place. The advantage of using a password manager over other methods of storing passwords is that you only ever have to remember one password instead of hundreds for all the individual accounts that you have. This is probably a good time to mention that you should never re-use a password for more than one account, if one account is compromised it could compromise all accounts that you have that use that same password. It’s really not worth the risk.

LastPass also allows you to share passwords with other LastPass users, so it’s ideal for using in teams that need to share passwords.

2 Factor Authentication

We highly recommend that you use 2 factor authentication with LastPass, this helps to protect against risks such as key logging software – by using 2 factor authentication if someone was to get your LastPass password they would not be able to access your account without your authenticator code. LastPass allows you to use authenticators such as Google Authenticator, LastPass Authenticator and many others.

How to get a UCL LastPass account

• We recommend that you download the browser plugin from LastPass and/or the app from the app store for your mobile.
• The browser plugin has been pre-installed on all Desktop@UCL Windows 10 machines.
• Then email isg@ucl.ac.uk who will then provision an account for you.

The license we have for LastPass provides two password vaults, one for UCL related passwords and one for personal passwords.  The one for personal passwords can be taken with you if you leave UCL and used with the free consumer version of LastPass.

Training options

LastPass is intuitive and easy to use, however they do provide training materials which can be found through the link below:

https://support.logmeininc.com/lastpass/help/use-the-self-service-training-portal-lp010031

If you have any questions or would like further information, just send us an email: isg@ucl.ac.uk.

We are planning on regularly posting recent phishing email examples that are received by users at UCL. This is the first one with some ideas on what to look out for in this and other phishing emails:

1. The sent from address – the sent from address is somewhat random, it is not a UCL email address, in fact in this case it is an email address from the Government of Bermuda!
2. The sent to address – legitimate emails should be addressed to your actual email address.
3. The subject line – there is no Microsoft Active Directory team at UCL. It’s an unusual subject line, it doesn’t explain the contents of the email.
4. The opening line – phishing emails often open with ‘Dear User’, in this case the email says ‘Dear E-mail User’, a legitimate email should use your actual name.
5. The sense of urgency – phishing emails often try to scare users into doing something quickly without thinking about it properly, in this case they are asking the user to respond by clicking the dodgy link to avoid their account being closed.
6. The link / domain – you cannot see from the above screenshot but the link does not go to a UCL domain, it goes to a random website. Remember to hover over a link to see where it’s going before you click on it.
7. The signature – there is no Microsoft Active Directory team at UCL, if you are ever in doubt please check with ISD.

One thing to bear in mind is that easier phishing emails like the one above have been designed so that they could be relevant to any organisation. Ask yourself when reading a possible phishing email if it is relevant to you and UCL.

Of course, this example is a fairly easy one to spot – there will be others that are more targeted and harder to identify. As always, if in doubt please ask us.

No trick, just treat!

Tell us your thoughts and win a £25 Amazon voucher!

We are at the point where we are planning our vision for improving our Information Security Awareness programme. We need your help to give us feedback on what we currently do (if you know) and give us some new ideas on what we can do to improve our programme in the future!

Think about how you would like us to contact you, what areas of information security do you want to know more about, and what sort of articles would you like to see on our team blog. Any ideas are welcome.

In return, all responses will be entered into a random prize draw for a £25 Amazon voucher. Entries must be sent using a UCL email address and if the voucher cannot be collected in person, then it will only be posted to a UCL mail address. Send entries to isg@ucl.ac.uk – the winner will be contacted on Friday 30th November.

So get those thinking caps on, and help us improve our Information Security Awareness programme – Good Luck!

Something Phishy this way comes

We try to point out to people how to spot emails which are phishing attacks. We would like everyone to be a little cautious and think for a moment before they click on a link or open an attachment. However sometimes genuine emails are written in such a way they start to look like a phishing attack.  We don’t want anyone to miss out on genuine emails nor do we want people to get comfortable clicking on things that look like phishing attacks.

So we thought we would offer a little advice on how to avoid looking like a criminal trying to steal someones identity.

How not to look like a phish

Use a UCL email address to send out UCL emails. Phishers often use look alike domains but should not have access to genuine internal UCL accounts.

Don’t use link shortening services like bit.ly as those are often used by phishers to hide where they are really connecting you to.

If you are referring people to an externally hosted site consider including a link to a page on the UCL website as well. The UCL page can talk about the mailing and show the address you are going to direct people to. This lets people check if a mailing is genuine or not.

Use a spell checker and think about how readable your email is before you send it.  Many phishers don’t have a good command of English and don’t send particularly business like emails.

Thought of an idea I have not mentioned here?  Why not add it as a comment?

Finding out if you’ve been compromised!

This is the first in a series of blog posts on ideas for how you can help look after yourself when it comes to information security.

Have you come across the website www.haveibeenpwned.com?

It’s a website that allows you to check if an account has been compromised in a data breach. It cannot of course tell you 100% that it knows about all possible compromised accounts, but it’s a very good starting point!

It’s a free and quick tool that also allows you to sign up for the ‘Notify me’ service which will tell you if your account comes up as compromised in the future. The data comes from aggregated breaches that have been publicly released.

The UCL Information Security Group has signed up for the ‘Notify me’ service and receives reports for UCL accounts on a regular basis.

If one or more of your accounts does show up, try not to panic. Bear in mind the date of the breach, have you changed your password since then? If not, changing your password would be a good idea. Using a password manager with 2-factor authentication is also a good idea – more on that in the next blog post.

So, give it a go, have you been pwned?

We are seeing another increase in criminals attempting to profit from users of the UCL email system. This particular attack relies on social engineering rather than a technical approach or, to be more blunt, extortion. The criminal emails you and says they hacked your system. They have copies of all your files, your browser history or even photographs or video taken using your webcam.

How the attack works

The criminal might share some information to prove they have accessed your system, a common example is the login details for a site you have visited previously. The attacker tells you they have installed malware on your computer and the only way to prevent them trashing your computer and publishing all the stolen information is to pay a ransom, usually in bitcoins.
Of course criminals lie, so it is very unlikely they have hacked you at all. Much more likely is that there has been a data breach which disclosed the username and password you use at a particular website.

The criminal hopes that by sharing this small amount of information with you, they can trick you into thinking they have much more of your information and get you to pay the ransom.
Similar emails will have been sent to hundreds or thousands of other people and even if only 1% of the people who receive the email pay up it is still very profitable for the criminal.

What should you do?

So what should you do? Firstly never pay a ransom, this only makes it more likely you will be targeted again and again. Secondly if they have sent you login details for a site then change it immediately and if you have reused that password in multiple places change it in all of them. Thirdly move on with your life as the risk they have actually got access to your data, when they make a threat like this, is so small you are more likely to be struck by lightning.

UCL is currently seeing a large number of emails claiming to be from HMRC and to be about how to claim your tax refund.  These are an attack known as phishing.

Unfortunately these are not from HMRC but from a criminal who want to trick people into sharing personal information. In particular they are hoping to obtain bank account information which could be used to steal money from you.  So please do not open these emails, click on any links they contain or open any attachments.

Most attacks of this type attempt to install malware to your device so they can carry out other attacks such as:

• Stealing your documents and photos
• Activating your camera and microphone to spy on you
• Encrypting your files and demanding a ransom
• Or even using your computer as a launching point to attack other people.

So please think twice before you click on links or attachments you are sent. If you want to report receiving this sort of email you can do this at https://www.actionfraud.police.uk/ and that site also has some excellent advice on what to do if you have shared information with a criminal.

Phishing is when someone malicious sends an email pretending to be from a legitimate person or organisation –  the email will most likely ask for details such as passwords or financial information, but it can also ask you to download a malware infected attachment or ask you to click on a link to a compromised website.

Phishing has long been a problem, and something that we see targeted at UCL almost constantly. A successful phishing attack is an easy way into an organisation that doesn’t involve a lot of skill or effort on behalf of the malicious attacker. Once in, an attacker can gain access to all sorts of information (personal, financial, sensitive), they can steal that information and destroy it. An attacker can also gain control of your computer!

Due to the frequency of phishing attempts and the seriousness of the consequences, the UCL Information Security Group are about to embark on a phishing campaign that will involve sending simulated phishing emails to staff. We hope that staff won’t respond to the phishing emails, however the campaign is intended to help us identify areas that need more education and support, as well as raising awareness on how staff can help protect themselves and UCL.

For more information on phishing and what to look out for: www.ucl.ac.uk/informationsecurity/phishing.

If you are ever unsure whether an email is legitimate, before you click or respond, just ask – phish@ucl.ac.uk.

Why classify information?

Information should be classified so that everyone with access knows how to protect it.

To protect information consistently, it is of paramount importance that there is a pan-organisational scheme for classifying information. This scheme should also inform users how information should be handled according to its requirements for confidentiality, integrity and availability. To elaborate further, the classification of data helps determine what baseline security controls are appropriate for safeguarding that data. By implementing an information classification scheme the organisation can endeavour to meet its legal, ethical and statutory obligations
Information classification can also protect the interests of the stakeholders of the organisation and about whom the organisation may hold information.

Information classification based on confidentiality ratings.

Levels of information classification

There are several levels of classification that can be applied to information. For example, HM Government Security Classification includes: Official, Secret and Top Secret which is based on 4 principles. Not all organisations may require such stringent principles when adopting an information classification scheme. However, each organisation must evaluate the risks in terms of reputational loss, loss of business, lawsuits, inadvertent disclosure of information. In some cases, an external partner may not share any further information if the organisation has been known to share information without appropriate controls e.g. encryption.

I’ve outlined some simple steps to help you get started.

Information Management Policy and guidance

It is important to develop an information management policy and guidance for your organisation. This should be commensurate with risks that your organisation may face and the expectations of your stakeholders. It is necessary to consider the legal and regulatory requirements of the country that your organisation operates in. It is also very helpful if a process for classifying and handling information is developed and adopted.

Awareness Training

Staff should undergo awareness training to ensure that they are aware of their responsibilities in managing information that they’ve been entrusted with. This can be tailored according to the kind of information that the staff deal with. Awareness training must be regularly carried out with periodic refresher courses as necessary.

At UCL, we have created a classification tool to help with classifying a specific information asset. See https://opinio.ucl.ac.uk/s?s=45808

If you are from UCL, please see the UCL Information Management Policy here:
Please do contact the Information Security Group if you need more information.

References:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf

Phishing – What’s that?

Phishing is an email that fools targeted individuals into parting with private information. Mostly this includes credit card details, but could also involve tricking the victim to transfer money or installing malware on their device. In this blog, I will explain how to detect the majority of phishing emails and giveaway clues that might trick you into giving away confidential information

The art of the phish

Cyber criminals may research their targets well in advance in order to gain maximum benefit from the phish. As an example, the attacker may trawl the business social media sites, where the Personal Assistant of the CEO has mentioned their details online. The attacker crafts a very targeted mail to the PA which leads to the PA releasing private information.
You receive email from your bank regularly, but an email that threatens your account will be closed if you don’t respond urgently with your Secret Answer and card information may be a phishing attack.

The Anatomy of a phish

Some quick pointers on how to spot a phish

From Email address

The mail seems to have been sent from a legitimate organisation, but the FROM address is from a personal address. Is the email being sent to other people that you do not work with or do not know them either.
Just because you received an email from your friend does not mean that they sent it. Your friend’s account may have been compromised or their computer may have been infected with malware. If you received an email from a friend or a colleague that seems out of place, call them on the phone and inform them.

To

Be careful of an email that has a generic salutation. Are you expecting a mail from this organisation? An organisation that emails you should know your name

Content

Check for grammar and spelling mistakes. All reputed businesses proof read their mails before sending them. Is there a threat? Does the email require you to carry out an immediate action? This is not a good sign, as there is an urgency to get the recipient to make a mistake. Companies will not seek your personal information.
Will your mailbox be disabled overnight? Never! Check the University’s webpages, call the Service Desk and verify.
Is there an incentive? Did you win the lottery? Most definitely not! Did a prince leave you his legacy? Really? So offers that are too good to be true, are not true.

Links

Exercise caution here. Are you expecting this link? Hover your mouse over the link, does the link make sense? The link should reflect what is mentioned in the content.

Attachments

Is there an attachment that you are being asked to open? Are you expecting the attachment? Click only if you are expecting an attachment in the format (extension) that is shown.

3 steps to avoid getting phished

1. Think before clicking on links or attachments
2. If it looks ‘phishy’ it most certainly is. Report it to the ServiceDesk or verify with the sender.
3. You are the last line of defence, if in doubt, throw it out!